Category: EU

Advocate General: No Valid Cookie Consent When Checkbox Is Pre-ticked

25. March 2019

On 21 of March Maciej Szpunar, Advocate General of the European Court of Justice, delivered his Opinion in the case of Planet24 GmbH against Bundesverband Verbraucherzentralen und Vebraucherverbände – Verbaucherzentrale Bundesverband e.V. (Federal Association of Consumer Organisations). In the Opinion, Szpunar explains how to obtain valid consent for the use of cookies.

In the case in question, Planet24 GmbH has organised a lottery campaign on the internet. When registering to participate in the action lottery, two checkboxes appeared. The first checkbox, which did not contain a pre-selected tick, concerned permission for sponsors and cooperation partners to contact the participant in order to inform him of their offers. The second checkbox, which was already ticked off, concerned the consent to the setting of cookies, which evaluate the user’s surfing and usage behaviour.

The Federal Association held that the clauses used infringed german law, in particular Article 307 of the BGB, Article 7(2), point 2, of the UWG and Article 12 et seq. of the TMG and filed a lawsuit in 2014 after an unsuccessful warning.

In the course of the instances, the case ended up at the German Federal Supreme Court in 2017. The German Federal Court considers that the success of the case depends on the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, and of Article 6(1)(a) of Regulation 2016/679. For that reason, it asked the European Court of Justice the following questions for a preliminary ruling:

(1) Does consent given on the basis of a pre-ticked box meet the requirements for valid consent under the ePrivacy Directive, the EU Data Protection Directive and the EU General Data Protection Regulation (the GDPR)?

(2) What information does the service provider have to provide to the user and does this include the duration of the use of cookies and whether third parties have access to the cookies?

According to the Advocate General, there is no valid consent if the checkbox is already ticked. In such case, the user must remove the tick, i.e. become active if he/she does not agree to the use of cookies. However, this would contradict the requirement of an active act of consent by the user. It is necessary for the user to explicitly consent to the use of cookies. Therefore, it is also not sufficient if one checkbox is used to deal with both the use of cookies and participation in the action lottery. Consent must be given separately. Otherwise the user is not in the position to freely give a separate consent.

In addition, Szpunar explains that the user must be provided with clear and comprehensive information that enables the user to easily assess the consequences of his consent. This requires that the information provided is unambiguous and cannot be interpreted. For this purpose, the information must contain details such as the duration of the operation of cookies, as well as whether third parties have access to the cookies.

The EU Commission fined Google 1.49 billion euros regarding antitrust case

21. March 2019

On Wednesday Google was fined 1.49 billion euros by the European Commission in connection with hindering competitors in the online advertising business.

The accusation is that Google has illegally made use of its market dominance.The company inflicted a number of exclusivity clauses in contracts with third-party websites which prevented the company’s competitors from positioning their search adverts on these websites. This concerns a small area in Google’s “advertising machinery”. But still, as a result, other advertisers and website owners “had less choice and likely faced higher prices that would be passed on to consumers,” claimed the EU’s competition commissioner, Margrethe Vestager.

In the last two years, this represents the third time that Europe’s antitrust regulators, lead by Danish competition commissioner Margarethe Vestagers, fined the tech company. Google has appealed against the two previous fines. The first fine (2.42 billions euros) was for manipulating online shopping results and directing visitors to its comparison-shopping service at the expense of its contestants. The second one amounting to 4.34 billion euros concerned mobilephone producers that were forced to use Google’s Android operating system to install the company’s search and browser apps.

Category: EU · EU Commission · European Union · General
Tags:

Cookiebot publishes „Ad Tech Surveillance on the Public Sector Web“

20. March 2019

The website Cookiebot recently published a report of its “Ad Tech Surveillance on the Public Sector Web”. They used their scanning technology to analyse tracking across official government websites and public health service websites in all 28 European Union member states. More than 100 advertising technology companies track EU citizens who visit those public sector websites by gaining access through free third-party services such as video plug-ins and social sharing buttons.

Said ad trackers were found on 25 out of the 28 official government websites in the EU. Only the Dutch, German and the Spanish websites had no commercial trackers. Most of them were found on the French website (52 trackers) followed by the Latvian website (27 trackers).

Cookiebot also investigated the tracking on Public Health Service Sites and found out that 52% of landing pages with health information contained ad trackers. The worst ranked one was the Irish health service with 73% of landing pages containing trackers. The lowest ranked country – Germany – still hat one third of its landing pages held trackers.

Those trackers got in via free third-party website plugins. For example, Ireland’s public health service (Health Service Executive (HSE)) installed the sharing tool ShareThis, which is like a Trojan horse that releases more than 20 ad tech companies into every Website it’s installed on.

Most of the tracking tools are controlled by Google. It controls the top three domains found and therefore tracks the visits to 82% of the main government websites of the EU. A complete list of all the trackers can be find in the published report.

Brexit: Deal or “No-deal”

12. March 2019

Yesterday evening, shortly before the vote of the UK parliament on the circumstances and if necessary a postponement of the Brexit, Theresa May met again with Jean-Claude Juncker in Strasbourg. Both sides could agree on “clarifications and legal guarantees” regarding the fall-back solution for Northern Ireland.

These (slightly) expand the United Kingdom’s (UK) opportunity to appeal to an arbitration court in the event that the EU should “hold the UK hostage” in terms of the membership of the customs union by means of the Backstop-Clause beyond 2020. This “legally binding instrument”, as Juncker said, intends to clarify that the Backstop-Clause on the Irish border is not to be regarded as a permanent solution. This shall also be confirmed in a joint political declaration on the future relations between the two sides. However, the wording of the complementary regulation is legally vague.

May is nevertheless confident that the British Parliament will approve the “new” agreement to be voted on tonight. Meanwhile, Jeremy Corbyn, Labour Party leader, has announced and urged to vote against the agreement. In any case, Juncker has already rejected further negotiations on adjustments to the current version of the withdrawal agreement, emphasizing that there will be no “third chance”. By 23rd May, when the EU elections begin, the Kingdom shall have left the EU.

The vote on “how” and “when” of the Brexit will be taken in the next few days, starting tonight at 8 p.m. CET. If the withdrawal agreement will be rejected again today, the parliament will vote on a no-deal Brexit tomorrow (the UK would then be a third country in the sense of the GDPR as of 30th March). In case this will also be rejected, on 14th March the parliament will eventually vote on a delay of the Brexit date. A postponement could then lead to a new referendum and thus to a renewed decision on the question of “whether” a Brexit will actually take place.

Category: EU · GDPR · General · UK
Tags:

Dutch DPA: Cookie walls do not comply with GDPR

11. March 2019

The Dutch data protection authority, Autoriteit Persoonsgegevens, clarified on 7th of March 2019 that the use of websites must remain accessible when tracking cookies are not accepted. Websites that allow users to access only if they agree to the use of tracking cookies or other similar means to track and record their behavior do not comply with the General Data Protection Regulation, GDPR.

The Dutch DPA’s decision was prompted by numerous complaints from website users who no longer had access to the websites after refusing the usage of tracking cookies.

The Dutch DPA noted that the use of tracking software is generally allowed. Tracking the behaviour of website users, however, must be based on sufficient consent. In order to be compliant with the GDPR, permission must be given freely. In the case of so-called cookie walls the user has no access to the website if he does not agree to the setting of cookies. In this way, pressure is exerted on the user to disclose his personal data. Nevertheless, according to the GDPR a consent has not been given voluntarily if no free or no real choice exists.

With publication of the explanation the Dutch DPA demands organizations to make their practice compliant with the GDPR. The DPA has already written to those organisations about which the users have complained the most. In addition, it announced that it would intensify its monitoring in the near future in order to examine whether the standard is applied correctly in the interest of data protection.

EDPB publishes information note on data transfer in the event of a no-deal Brexit

25. February 2019

The European Data Protection Board has published an information note to explain data transfer to organisations and facilitate preparation in the event that no agreement is reached between the EEA and the UK. In case of a no-deal Brexit, the UK becomes a third country for which – as things stand at present – no adequacy decision exists.

EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:

• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals

In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.

Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.

The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.

The European Data Protection Board presents Work Program for 2019/2020

14. February 2019

On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.

The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).

The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as the ruling by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.

The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.

Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.

The German Bundeskartellamt prohibits Facebook to combine their user data from different sources

7. February 2019

The Bundeskartellamt announced in a press release on their website on Febraury 7, 2019 that it imposes far-reaching restrictions on Facebook.

Up to now Facebook’s terms and conditions stated that users have only been able to use the social network under the precondition that Facebook can collect user data also outside of the Facebook website in the internet or on smartphone apps and assign these data to the user’s Facebook account. Therefore, all data collected on the Facebook website, by Facebook-owned services which includes Instagram and WhatsApp as well as on third party websites can be combined and assigned to the account of a Facebook user.

The authority’s decision affects said processing of user data in Germany and covers different sources of data.
Firstly, all social networks/services can continue to collect data under the existing laws. But the collected data can only be transferred to Facebook itself if consent is given by the data subject (the user). If such a consent is not given, the data cannot be assigned to an existing Facebook account. Secondly, the same applies to collecting data from third party websites.
Consequently, without the above mentioned consent Facebook will face far-reaching restrictions concerning collecting and combining data.

The Bundeskartellamt states as reason for this decision that in December 2018 Facebook had 1.52 billion daily active users and 2.32 billion monthly active users and therefore also occupies a dominant position in the German market for social networks. It further claims that the market share of Facebook concerning social networks in Germany is more than 95 % (daily active users) and more than 80 % (monthly active users). Therefore, the conclusion is drawn that the group with its subsidiaries WhatsApp and Instagram occupy a key position in the market which indicates a monopolisation process. Competitors like Google+, Snapchat, YouTube or Twitter or professional networks like LinkedIn or Xing provide only components of the services offered by the Facebook Group.

The authority’s decision is not yet final. Facebook has one month to appeal the decision to the Düsseldorf Higher Regional Court. The company has already announced that it will appeal against the decision.

Category: EU · General · German Law · Instagram · Personal Data
Tags:

Data Protection Day

28. January 2019

On the occassion of this year’s Data Protection Day, which was launched in 2006 by the Council of Europe, the Commission has issued the following statement :

“This year Data Protection Day comes eight months after the entry into application of the General Data Protection Regulation on 25 May 2018. We are proud to have the strongest and most modern data protection rules in the world, which are becoming a global standard.”

On January 28th in 2006, the Council of Europe’s data protection convention, known as “Convention 108”, was opened to signature. Data Protection Day is now celebrated globally and is called Privacy Day outside of Europe.

More than 50 countries around the world have already signed up to the convention, which sets out key principles in the area of personal data protection.

The convention has been ratified by the 47 Council of Europe member states and Mauritius, Senegal, Uruguay and Tunisia. Other countries such as Argentina, Burkina Faso, Cabo Verde, Mexico and Morocco have been invited to accede. Many more participate as Observers States in the work of the Committee of the Convention (Australia, Canada, Chile, Ghana, Indonesia, Israel, Japan, Korea, New-Zealand, United States of America).

Governments, parliaments, national data protection bodies and other actors carry out activities on this day to raise awareness about the rights to personal data protection and privacy. These may include campaigns targeting the general public, educational projects for teachers and students, open doors at data protection agencies and conferences.

 

European Commission adopts adequacy decision on Japan

The European Commission adopted an adequacy decision for Japan on the 23rd of January 2019, enabling data flows to take place freely and safely. The exchange of personal data is based on strong safeguards that Japan has put in place in advance of the adequacy decision to ensure that the transfer of data complies with EU standards.

The additional safeguards include:

– A set of rules (Supplementary Rules), which will cover the differences between the two data protection systems. This should strengthen the protection of sensitive data, the exercise of personal rights and the conditions under which EU data can be further transferred to another third country. These additional rules are binding in particular on Japanese companies importing data from the EU. They can also be enforced by the independent Japanese data protection authority (PPC) as well as by courts.

– Also, safeguards have been established concerning access by Japanese authorities for law enforcement and national security purposes. In this regard, the Japanese Government has given assurances to the Commission and has ensured that the use of personal data is limited to what is necessary and proportionate and is subject to independent supervision and redress.

– A complaint handling mechanism to investigate and resolve complaints from Europeans regarding Japanese authorities’ access to their data. This new mechanism will be managed and monitored by Japan’s independent data protection authority.

The adequacy decision has been in force since 23rd of January 2019. After two years, the functioning of the framework will be reviewed for the first time. The subsequent reviews will take place at least every four years.

The adequacy decision also complements the EU-Japan Economic Partnership Agreement, which will enter into force in February 2019. European companies will benefit from free data flows as well as privileged access to the 127 million Japanese consumers.

 

Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 12 13 Next
1 2 3 4 13